Vulcan icon indicating copy to clipboard operation
Vulcan copied to clipboard

Published 20 hours ago • verified publisher icon VulcanJS

Apollo Server CORS whitelist

Open SachaG opened this issue 5 years ago • 3 comments

I tried specifying the apolloServer.corsWhitelist setting to enable Apollo Studio's Explorer to work. This worked well enough, but GraphQL requests coming from the app itself then started to fail until I explicitly added it.

I think even with the whitelist option specified, we should probably make an exception so that requests coming from the app always work?

SachaG avatar Jul 01 '20 04:07 SachaG

Are you up to date on devel? Will check but I indeed forgot same origin scenario in the first implementation. I think it's fixed in a recent commit.

eric-burel avatar Jul 01 '20 06:07 eric-burel

You should have this:

const corsOptions =
    corsWhitelist && corsWhitelist.length
      ? {
          origin: function(origin, callback) {
            if (!origin) callback(null, true); // same origin
            if (corsWhitelist.indexOf(origin) !== -1) {
              callback(null, true);
            } else {
              callback(new Error('Not allowed by CORS'));
            }
          },
        }
      : process.env.NODE_ENV === 'development';

The case "!origin" correspond to same-origin requests, so the app itself.

eric-burel avatar Jul 01 '20 06:07 eric-burel

I think I've reproduced that in Vulcan Meteor Next Transition, see sample settings: https://github.com/VulcanJS/Vulcan-Starter/blob/33a23bc3c22b6d5d73071d0b7f1c863f01149cc5/sample_settings.json To be investigated by trying to query the Meteor app from itself, eg via graphql playground.

eric-burel avatar Jun 23 '21 10:06 eric-burel